fix(deps): update dependency undici to v8

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	^7.0.0 → ^8.0.0

---

Release Notes

nodejs/undici (undici)

v8.5.0

Compare Source

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in
v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	8.5.0	32dbf0b3
GHSA-38rv-x7px-6hhq	CVE-2026-9675	High (7.5)	8.5.0	b4c287b3
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	8.5.0	42d49559
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	8.2.0	a516f870
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	8.5.0	cb105d7c
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	8.5.0	5655ea43
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	8.5.0	5655ea43
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	8.5.0	6ea54ef8

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream
  against untrusted endpoints.
• Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size
across a fragmented message. An attacker could send many small fragments that
each pass per-frame validation but collectively exceed the configured limit,
causing memory exhaustion. This is a regression introduced in 8.1.0 (the
6.x and 7.x lines are not affected).

• Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295
Fix: 42d49559 fix: honor requestTls when proxy is SOCKS5

The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

• Affected: ProxyAgent / Socks5ProxyAgent over SOCKS5 that rely on
  requestTls.
• Workaround: route traffic through an HTTP-proxy ProxyAgent, where
  requestTls functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

GHSA-hm92-r4w5-c3mj · CWE-346 · Fixed in 8.2.0
Fix: a516f870 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#​5041)

Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

• Affected: applications using Socks5ProxyAgent across multiple origins
  (introduced via #​4385).
• Workaround: use a separate agent instance per origin.

---

Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

GHSA-pr7r-676h-xcf6 · CWE-524
Fix: cb105d7c fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.

• Affected: apps using the cache interceptor in shared mode that forward
  Authorization upstream and receive non-canonical qualified directives.
• Workaround: disable shared-cache mode for authenticated traffic, avoid
  caching authenticated responses, or add Vary: Authorization upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#​3789.

• Workaround: sanitize values before forwarding — strip or reject CR, LF,
  NUL, ;, and =.

---

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 5655ea43 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: 6ea54ef8 fix: guard idle socket validation to skip fresh sockets, hardened by c9fbe9d2 keep idle validation on native timers (#​5397) and ac5394b8 keep idle validation on global timers (#​5407)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

• Requirements: attacker-controlled/compromised upstream and active
  keep-alive reuse.
• Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
  Client or Pool.

---

Also in v8.5.0 (non-security)

v8.5.0 shipped the security fixes above alongside the following changes. These
are not security fixes — they are listed for completeness of the release. (The
two queue-poisoning hardening PRs, #​5397
and #​5407, are covered under
CVE-2026-6733 above and are not repeated here.)

• HTTP/2: #5408 don't rewind kPendingIdx past in-flight requests · #5391 allow h2 POST request multiplexing · #5406 reap idle HTTP/2 sessions · #5410 preserve h2 queue on out-of-order completion
• Features: #5416 add bodyMixin.textStream() · #5418 align EventSource with spec
• Docs / CI / tests: #5413 document request header validation · #5383 absorb h2 stream timeout resets (test) · #5420 remove stale repro + lint · #5426 extend Windows CI timeout · #5427 detect available python in WPT runner

Full changelog: v8.4.1...v8.5.0.

---

Credits

Per-advisory credits (as recorded in each GHSA):

• CVE-2026-12151 — reported by @​lpinca & @​Nadav0077; reviewed by @​UlisesGascon.
• CVE-2026-9675 — reported by @​mauriceng98 & @​Str1ckl4nd; fixed by @​mcollina & @​KhafraDev; reviewed by @​UlisesGascon.
• CVE-2026-9697 — reported by @​tonghuaroot; reviewed by @​UlisesGascon.
• CVE-2026-6734 — reported by @​ChALkeR; reviewed by @​mcollina; verified by @​UlisesGascon.
• CVE-2026-9678 — fixed by @​mcollina; reviewed by @​UlisesGascon.
• CVE-2026-9679 — reported by @​tndud042713; fixed by @​mcollina; reviewed by @​KhafraDev & @​UlisesGascon.
• CVE-2026-11525 — fixed by @​mcollina; reviewed by @​UlisesGascon.
• CVE-2026-6733 — fixed by @​mcollina; verified by @​UlisesGascon.

v8.4.1

Compare Source

What's Changed

• test: avoid localhost lookup in fetch cookies tests by @​mcollina in #​5363
• fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#​5216) by @​mcollina in #​5343
• fix(dns): skip requests without origin by @​marko1olo in #​5376
• docs: add Getting Started guide by @​AliMahmoudDev in #​5371
• docs: fix code examples that crash at runtime and other inaccuracies by @​AliMahmoudDev in #​5386
• fix: handle paused parser on socket end (issue #​5360) by @​mcollina in #​5389
• fix(client): reject pipelined TLS altname errors by @​marko1olo in #​5373
• docs: fix multiple inaccuracies in API documentation by @​AliMahmoudDev in #​5384
• docs: fix remaining broken links in API documentation by @​AliMahmoudDev in #​5342

New Contributors

• @​marko1olo made their first contribution in #​5376

Full Changelog: nodejs/undici@v8.4.0...v8.4.1

v8.4.0

Compare Source

What's Changed

• fix: register connect listener before initiating requests in close-and-destroy test by @​mcollina in #​5272
• test: stabilize tls-cert-leak regression by @​mcollina in #​5306
• fix: replace tspl with native test context in test/examples.js by @​mcollina in #​5300
• http2: remove redundant request stream binding by @​trivikr in #​5302
• test: limit cache-tests workers on Windows by @​mcollina in #​5309
• test: use test context cleanup hooks in parser issue tests by @​mcollina in #​5282
• Add redirect option to strip headers on redirect by @​mcollina in #​5281
• chore(test): fix lint failure by @​aduh95 in #​5316
• chore(ci): use npm ci instead of npm install by @​aduh95 in #​5315
• docs: clarify formData security considerations by @​mcollina in #​5320
• docs: add EventSource server example by @​Will-thom in #​5321
• fix(core): simplify addAbortListener util by @​aduh95 in #​5317
• build(deps-dev): bump ws from 8.20.0 to 8.21.0 by @​dependabot[bot] in #​5325
• build(deps-dev): bump jsondiffpatch from 0.7.3 to 0.7.6 by @​dependabot[bot] in #​5313
• docs: match undici EoL to node version it's bundled in by @​trivikr in #​5330
• fix: handle all HTTP/2 request stream sync errors by @​mcollina in #​5311
• fix: preserve timeout errors for HTTP/2 requests by @​mcollina in #​5091
• fix(core): normalize autoSelectFamily timeout AggregateError by @​youcefzemmar in #​5329
• chore(core): define kEnumerableProperty atomically by @​aduh95 in #​5332
• chore(core): use regex.exec instead of string.match by @​aduh95 in #​5331
• fix: reset invalid HTTP/2 sessions by @​mcollina in #​5310
• feat(connect): add preferH2 connector option to offer h2 first in ALPN by @​Antamansid in #​5327
• test: fix flaky http2 trailers test by @​mcollina in #​5338
• fix(mock): restore single-arg MockCallHistory.filterCallsByX by @​youcefzemmar in #​5328
• docs: document missing error types in Errors.md by @​cesarvspr in #​5339
• build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @​dependabot[bot] in #​5346
• build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @​dependabot[bot] in #​5347
• build(deps): bump uWebSockets.js from v20.67.0 to v20.68.0 in /benchmarks by @​dependabot[bot] in #​5352
• build(deps): bump concurrently from 9.2.1 to 10.0.3 in /benchmarks by @​dependabot[bot] in #​5353
• build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4 by @​dependabot[bot] in #​5348
• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5351
• build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5349
• docs: improve connect option documentation in Client.md by @​AliMahmoudDev in #​5344
• fix(mock): do not persist snapshots on close in playback mode by @​GeoffreyBooth in #​5359
• fix(fetch): remove abort listener when request settles by @​ATOM00blue in #​5318
• test: add Node.js global fetch regression coverage by @​mcollina in #​5361
• fix(h2): make Client multiplex on h2 (#​4143) by @​mcollina in #​5362

New Contributors

• @​Will-thom made their first contribution in #​5321
• @​youcefzemmar made their first contribution in #​5329
• @​Antamansid made their first contribution in #​5327
• @​cesarvspr made their first contribution in #​5339
• @​AliMahmoudDev made their first contribution in #​5344
• @​ATOM00blue made their first contribution in #​5318

Full Changelog: nodejs/undici@v8.3.0...v8.4.0

v8.3.0

Compare Source

What's Changed

• fix: preserve pool capacity after removing stale client by @​trivikr in #​5151
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​5157
• build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @​dependabot[bot] in #​5162
• build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in #​5156
• chore(http2): collapse duplicate request stream setup by @​trivikr in #​5140
• perf(client): cache HTTP/2 authority by @​trivikr in #​5141
• build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @​dependabot[bot] in #​4819
• types: add TOpaque to client connect options by @​samuel871211 in #​4928
• build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @​dependabot[bot] in #​4688
• build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @​dependabot[bot] in #​4950
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @​dependabot[bot] in #​4951
• test(fetch): add userinfo coverage for issue-4897 URLs by @​mcollina in #​4901
• perf: avoid duplicate pool dispatcher selection on backpressure by @​trivikr in #​5149
• build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @​dependabot[bot] in #​5163
• build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @​dependabot[bot] in #​5160
• build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @​dependabot[bot] in #​4687
• build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @​dependabot[bot] in #​5161
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​4853
• build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @​dependabot[bot] in #​5158
• build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in #​5159
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in #​4854
• build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @​dependabot[bot] in #​5130
• docs: mention install() also installs WebSocket globals by @​mcollina in #​5174
• types: stop interfering with @​types/node by @​Renegade334 in #​5173
• fix: align h2 empty body content-length methods with h1 by @​trivikr in #​5172
• build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @​dependabot[bot] in #​5192
• build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5191
• test: move cleanup from finally to after hooks by @​trivikr in #​5194
• test: resolve flaky timeout in issue-3356 by @​trivikr in #​5188
• SnapshotAgent: Add normalizeBody and normalizeQuery by @​GeoffreyBooth in #​5121
• fix(socks5): use configured connector in Socks5ProxyAgent by @​trivikr in #​5168
• perf(http2): avoid isArray checks for common headers by @​trivikr in #​5170
• fix(test): make deduplicate body-streaming test non-flaky by @​mcollina in #​5196
• test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#​5137) by @​mcollina in #​5176
• fix(socks5): preserve dispatch backpressure return value by @​trivikr in #​5166
• perf(http2): end zero-length request bodies with headers by @​trivikr in #​5169
• fix(test): make issue-2898-comment.js assertion robust against flakiness by @​mcollina in #​5208
• test: disable timeouts in h2 high concurrency regression by @​trivikr in #​5205
• test: deflake stream compat coverage by @​mcollina in #​5209
• fix(dispatcher): remove unreachable assert in writeBlob by @​SAY-5 in #​5231
• fix: clean up benchmark resources before worker exit by @​trivikr in #​5225
• test: avoid per-chunk assertions in diagnostics get by @​trivikr in #​5224
• test: capture cache test worker stderr and preserve failures by @​trivikr in #​5206
• chore: gitignore benchmarks/package-lock.json by @​trivikr in #​5228
• perf(proxy-agent): avoid extra header allocations in auth guard by @​trivikr in #​5164
• test(wpt): retry WPT server startup on port conflicts or timeout by @​trivikr in #​5215
• test: make websocket diagnostics ping-pong ordering deterministic by @​trivikr in #​5222
• test(websocket): fix flaky send test by @​mcollina in #​5232
• fix: prevent node-fetch test server close from hanging on Windows by @​mcollina in #​5246
• test: wait for cache test server to listen by @​trivikr in #​5242
• fix: accept unknown-size Content-Range values by @​trivikr in #​5120
• test: avoid global dispatcher state in mock client tests by @​trivikr in #​5258
• test: fix flaky permessage-deflate limit timeout by @​mcollina in #​5229
• test: drain request bodies in request tests by @​trivikr in #​5247
• test: reduce retry-after invalid date timing flake by @​trivikr in #​5250
• test: drive request timeout ticks after connect by @​trivikr in #​5251
• test: only fail max-listener checks on max-listener warnings by @​trivikr in #​5253
• test: avoid double-closing server in client-request test by @​trivikr in #​5255
• fix(retry-handler): validate response body length against Content-Range by @​mcollina in #​4975
• test: wait for inflight-and-close body cleanup by @​trivikr in #​5261
• fix(test): make http2-pseudo-headers test order-independent by @​mcollina in #​5234
• fix: preserve fetch multipart body on MockAgent fallback by @​mcollina in #​5269
• ci: build Node FFI fixtures for shared-builtin tests by @​trivikr in #​5275
• test: deflake issue-5137 stream count assertion by @​trivikr in #​5243
• fix: replace finished() with writable lifecycle tracking by @​trivikr in #​5001
• perf(client-h2): reuse request stream handlers by @​trivikr in #​5280
• fix: prevent pipeline body replay on redirect by @​mcollina in #​5274
• fix(types): remove throwOnError from Dispatcher.RequestOptions by @​Zelys-DFKH in #​5279
• fix: validate EOF for chunked h1 responses by @​mcollina in #​5273
• test: deflake parser-issues teardown by @​mcollina in #​5278
• test: make http2-alpn control requests explicit by @​trivikr in #​5252
• test: include cache-test worker metadata on failure by @​trivikr in #​5276
• test: include after in parser-issues by @​trivikr in #​5284
• cache formdata boundary by @​KhafraDev in #​5292
• build(deps-dev): bump fast-check from 4.7.0 to 4.8.0 by @​dependabot[bot] in #​5298
• test: retry crashed cache-test workers once by @​trivikr in #​5294
• Add Node 26 to the matrix by @​mcollina in #​5271
• perf(client-h2): reuse request upgrade stream handlers by @​trivikr in #​5293
• build(deps-dev): bump jest from 30.3.0 to 30.4.2 by @​dependabot[bot] in #​5297
• build(deps): bump uWebSockets.js from v20.66.0 to v20.67.0 in /benchmarks by @​dependabot[bot] in #​5299
• test: fix flaky http2-dispatcher WebSocket upgrade tests by @​mcollina in #​5304

New Contributors

• @​Zelys-DFKH made their first contribution in #​5279

Full Changelog: nodejs/undici@v8.2.0...v8.3.0

v8.2.0

Compare Source

What's Changed

• chore: use native addAbortListener by @​trivikr in #​5021
• fix: fix the logic for the UNDICI_NO_WASM_SIMD environment variable by @​ShenHongFei in #​5026
• fix(http2): send body for non-expectsPayload methods with content by @​mcollina in #​5030
• fix(fetch): correct 'navigator' typo to 'navigate' in fetchFinale by @​deepview-autofix in #​5044
• fix(webidl): correct signed integer bounds in ConvertToInt by @​deepview-autofix in #​5038
• fix(fetch): use || for CRLF check in multipart formdata-parser by @​deepview-autofix in #​5049
• fix(websocket): correct argument order in WebSocketStream UTF-8 failure by @​deepview-autofix in #​5050
• fix(pool): propagate useH2c to connector when connections > 1 by @​SAY-5 in #​5031
• fix(cache): return immutable staleAt in milliseconds by @​deepview-autofix in #​5048
• fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing by @​deepview-autofix in #​5041
• fix(cache): evict oldest entries first in SqliteCacheStore prune by @​deepview-autofix in #​5039
• fix(socks5): correctly expand IPv6 '::' compressed notation by @​deepview-autofix in #​5046
• Remove unused func and unnecessary shim by @​tsctx in #​5053
• fix: reject malformed content-length request headers by @​trivikr in #​5060
• fix(request): reject NaN highWaterMark during option validation by @​trivikr in #​5062
• docs: fix broken links in docsify sidebar by @​maruthang in #​5065
• fix(fetch): prefer filename* over filename in multipart form-data by @​maruthang in #​5068
• fix(http2): reject websocket upgrades on non-200 responses by @​trivikr in #​5072
• feat: support username-only proxy authentication in ProxyAgent by @​rossilor95 in #​4935
• build(deps): bump uWebSockets.js from v20.58.0 to v20.64.0 in /benchmarks by @​dependabot[bot] in #​5083
• fix(client-h2): stop double-decrementing kOpenStreams on stream timeout by @​SAY-5 in #​5076
• fix(http2): reject upgrade streams closed before response headers by @​trivikr in #​5069
• fix(http2): allow GET and HEAD request bodies over h2 by @​trivikr in #​5058
• fix(cache): include query in cache key when opts.path is undefined by @​maruthang in #​5081
• fix: avoid premature cleanup of dispatcher in Agent by @​bienzaaron in #​5034
• fix(http2): record ping failures on the socket by @​trivikr in #​5075
• add undici security policy by @​mcollina in #​5056
• fix(mock): make filterCalls AND operator actually intersect results by @​deepview-autofix in #​5045
• fix(socks5): enforce authenticated state before CONNECT by @​trivikr in #​5097
• fix(cache): skip expired sqlite vary entries during lookup by @​trivikr in #​5095
• fix: enforce maxCachedSessions in TLS session cache by @​trivikr in #​5102
• fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly by @​trivikr in #​5099
• fix: handle invalid HTTP/2 connection headers (#​4356) by @​mcollina in #​5101
• fix(interceptor): add throwOnMaxRedirect to types and interceptor opts by @​maruthang in #​5066
• fix(websocket): avoid double-closing canceled stream readers by @​colinaaa in #​5105
• fix(cache): persist vary when updating sqlite cache entries by @​trivikr in #​5109
• refactor(h1): track HEAD keep-alive override as boolean by @​trivikr in #​5110
• client: cache llhttp wasm buffer view by @​trivikr in #​5115
• deps: update llhttp to 9.3.1 by @​mcollina in #​5113
• fix(http2): preserve accepted streams after GOAWAY by @​trivikr in #​5090
• fix: reuse parser WeakRef for timeout callbacks by @​trivikr in #​5125
• fix: stop buffering data after SOCKS5 connect by @​trivikr in #​5118
• perf(http2): avoid response header reserialization by @​trivikr in #​5085
• fix(cache): enforce sqlite maxCount after insert by @​trivikr in #​5112
• perf: reduce EventSourceStream parser allocations by @​trivikr in #​5032
• types(dispatcher): use OutgoingHttpHeaders for request headers by @​maruthang in #​5067
• cleanup: delete redundant .gitkeep file by @​shivarm in #​5133
• fix(http2): respect peer max concurrent streams by @​trivikr in #​5135
• test(http2): ensure websocket upgrade resumes queued requests by @​trivikr in #​5132
• test(mock): cover SnapshotAgent excludeUrls playback by @​maruthang in #​5080
• perf(client): parse h1 content-length statelessly by @​trivikr in #​5124
• perf(http2): reduce writeH2 per-request callback allocations by @​trivikr in #​5138
• chore(deps): add lockfile by @​aduh95 in #​5139
• perf: use byteLength property for binary body chunks by @​trivikr in #​5126
• fix(cache): allow streamed entries at maxEntrySize limit by @​trivikr in #​5129
• perf(http2): avoid cloning headers when removing status by @​trivikr in #​5127
• fix: validate H2CClient maxConcurrentStreams option by @​trivikr in #​5143
• perf: avoid redundant scans in BalancedPool dispatcher selection by @​trivikr in #​5146
• fix: replace stale pool clients under connection limit by @​trivikr in #​5145

New Contributors

• @​deepview-autofix made their first contribution in #​5044
• @​SAY-5 made their first contribution in #​5031
• @​maruthang made their first contribution in #​5065
• @​bienzaaron made their first contribution in #​5034

Full Changelog: nodejs/undici@v8.1.0...v8.2.0

v8.1.0

Compare Source

What's Changed

• feat: add configurable maxPayloadSize for WebSocket by @​mcollina in #​4955

Full Changelog: nodejs/undici@v8.0.3...v8.1.0

v8.0.3

Compare Source

What's Changed

• docs: add an Undici 7 to 8 migration guide by @​mcollina in #​4963
• chore: switch deferred promise with Promise.withResolvers() by @​trivikr in #​4972
• chore: remove zstd and markAsUncloneable feature probes by @​trivikr in #​4968
• test: remove obsolete nodeMajor/nodeMinor util exports by @​trivikr in #​4976
• chore: use Promise.withResolvers in SOCKS5 proxy agent by @​trivikr in #​4978
• build(deps-dev): bump esbuild from 0.27.7 to 0.28.0 by @​dependabot[bot] in #​4985
• build(deps-dev): bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in #​4987
• build(deps): bump got from 14.6.6 to 15.0.0 in /benchmarks by @​dependabot[bot] in #​4988
• chore: use Object.hasOwn for iterator checks by @​trivikr in #​4979
• doc: Update dump({ limit: Integer }) default value by @​samuel871211 in #​4981
• fix: avoid 401 failures for stream-backed request bodies by @​mcollina in #​4941
• test: remove unsupported Node version checks from fetch tests by @​trivikr in #​4977
• types: remove legacy AbortSignal alias now provided by @​types/node by @​trivikr in #​4995
• fix: remove stale constructor interceptors from types and pool options by @​trivikr in #​4994
• doc: update incorrect description of dump.maxSize by @​samuel871211 in #​4982
• ci: enable coverage for node.js 25 by @​shivarm in #​4980
• refactor: reuse wrapRequestBody in RedirectHandler by @​trivikr in #​4992
• fix: preserve connect option in H2CClient by @​trivikr in #​5000
• types: document Client and H2CClient opti

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	undici@​8.5.0

View full report